zero2ai-hub

Amazon Listing Image Optimizer

Author: Zero2Ai · GitHub ↗ · v1.0.0
cross-platform ⚠ suspicious
Total downloads: 437
Favorites: 0
Current installs: 1
Versions: 1
Install in OpenClaw
/install skill-listing-image-optimizer
Description
Audit Amazon product listing images for non-square dimensions, auto-pad them to 2000×2000 white background, and push corrected images to live listings via SP...
Security usage advice
This package appears to implement the advertised workflow, but there are three things to check before installing or giving it credentials:
  1) Credentials: The tool requires Amazon SP‑API credentials (LWA client id/secret and a refresh token) via a JSON file pointed to by AMAZON_SPAPI_PATH, but the package metadata does not declare these requirements. Treat that as a red flag and only provide such credentials to code you fully trust. Those credentials can modify listings, so limit their scope and revoke them if you stop using the tool.
  2) Public HTTP server: push_images.js binds an HTTP server to 0.0.0.0 and exposes files from the specified directory for ~15 minutes so Amazon can crawl them. Run this in a locked-down environment (dedicated VM/VPS), ensure the served directory contains only the intended image files, restrict network access (firewall, allowlist), or prefer uploading images to S3 and providing pre-signed URLs instead.
  3) Packaging inconsistencies: SKILL.md references fix_title.js but that file is missing from the bundle; metadata doesn't list required env vars. Review the included scripts manually (they are short) to ensure there is no hidden exfiltration or unrelated file access.
If the maintainer can update metadata to declare required credentials and fix the missing file, and you validate the code, the skill would be more trustworthy. If you are not comfortable providing SP‑API credentials or exposing a public port, do not install or run this skill. If you proceed, do so in an isolated environment and rotate/revoke credentials afterward.
Functional analysis
Type: OpenClaw Skill
Name: skill-listing-image-optimizer
Version: 1.0.0
The skill is classified as suspicious due to a significant path traversal vulnerability in `scripts/push_images.js`. This script starts a local HTTP server on a publicly accessible port (`0.0.0.0:8899`) to serve images to Amazon's crawlers. The server's file path construction (`path.join(dir, req.url.replace(/^\//, ''))`) is vulnerable to path traversal, potentially allowing an attacker to read arbitrary files from the host system if the server's IP and port are discovered. While the public server is plausibly needed for the stated purpose, this vulnerability, combined with the broad network exposure, poses a high risk of information disclosure. The skill also handles sensitive Amazon SP-API credentials and makes external network calls, but these actions are aligned with its stated purpose and lack clear malicious intent.
Capability assessment
Purpose & Capability
The code files (audit.js, pad_to_square.py, push_images.js) match the stated purpose (audit images, pad to 2000×2000, and upload via SP‑API). However the skill metadata claims 'Required env vars: none' and 'Primary credential: none' while the SKILL.md and code require an Amazon SP‑API credentials JSON (lwaClientId, lwaClientSecret, refreshToken, sellerId, marketplace). Also SKILL.md documents a fix_title.js script but that file is not present in the package — an incoherence that could indicate incomplete packaging or missing functionality.
Instruction Scope
The runtime instructions are explicit about installing Pillow and amazon-sp-api and creating an SP‑API credentials file. The push_images script starts an HTTP server bound to 0.0.0.0 and advertises serving images from the local host (or using S3/Cloudflare). Serving files publicly is necessary for the described Amazon-crawl technique but increases exposure: any file in the served directory could be accessible if mis-specified. The instructions do not emphasize limiting the served directory, firewalling the port, or using pre-signed S3 URLs (safer). The SKILL.md also references a missing fix_title.js, which is inconsistent with the file manifest.
Install Mechanism
There is no custom install script; dependencies are standard (pip Pillow, npm amazon-sp-api). No downloads from arbitrary URLs or archive extraction occur. The lack of an install spec keeps risk lower; code is shipped with the skill and runs locally.
Credentials
The only sensitive data required by the code is Amazon SP‑API credentials (LWA client id/secret, refresh token, sellerId, marketplace), which are appropriate for a tool that patches listings. However the skill metadata failed to declare this requirement (no required env vars / primary credential), which is misleading and prevents informed consent. The code also optionally reads PRODUCT_TYPE from env and expects AMAZON_SPAPI_PATH (documented in SKILL.md but not declared in metadata).
Persistence & Privilege
The skill does not request always:true and doesn't attempt to modify other skills or system-wide settings. It runs as-invoked and cleans up its temporary HTTP server after 15 minutes. Autonomous invocation is allowed by default but is not combined here with other high-risk privileges.
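How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install skill-listing-image-optimizer
  3. Once installation completes, call the Skill by name or trigger it with /skill-listing-image-optimizer
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history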
v1.0.0
Initial release — audit, pad, and push square Amazon listing images via SP-API
Metadata
Slug skill-listing-image-optimizer
Version 1.0.0
License
Total installs 1
Current installs 1
Historical versions 1
FAQ

What is Amazon Listing Image Optimizer?

Audit Amazon product listing images for non-square dimensions, auto-pad them to 2000×2000 white background, and push corrected images to live listings via SP... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 437 total downloads to date.

How do I install Amazon Listing Image Optimizer?

Run the command "/install skill-listing-image-optimizer" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is required.

Is Amazon Listing Image Optimizer free?

Yes, Amazon Listing Image Optimizer is completely free (free and open source) and can be freely downloaded, installed and used.

Which platforms does Amazon Listing Image Optimizer support?

Amazon Listing Image Optimizer is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Amazon Listing Image Optimizer?

It is developed and maintained by Zero2Ai (@zero2ai-hub); the current version is v1.0.0.
